Privacy Policy

Introduction

This Privacy Shield Policy (“Policy”) describes Nocimed™, Inc.’s (“Nocimed”) practices relating to the processing of Personal Data that Nocimed obtains from Data Subjects located in the European Union (EU) (hereinafter “EU Personal Data”). If there is any conflict between the policies in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

Nocimed complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from Data Subjects in the European Union member countries (EU Data Subjects). Nocimed has certified that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. All Nocimed employees who handle EU Personal Data are required to comply with the principles stated in this Policy. Nocimed employees who fail to abide by this Policy may be subject to disciplinary action. Nocimed is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Renewal/Verification

Nocimed will renew its EU-US Privacy Shield certification annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.

Prior to the re-certification, Nocimed will conduct a self-assessment to ensure that its attestations and assertions about its treatment of Individual Patient Personal Data are accurate and that the company has appropriately implemented these practices.

Collection and Use of Personal Data, Data Integrity, and Purpose

Physicians located in the EU may collect EU Personal Data from Individual Patients, subject to such Individual Patients’ lawful consent, and may forward this Personal Data to Nocimed for the purpose of providing a NOCIGRAM-LS™ report. The following data may be obtained and transferred with an Individual Patient’s MRI/MRS record: MRI/MRS images, name, medical record number (MRN), height, weight, and age/birthdate. Per the Privacy Shield Principles, this information may be considered sensitive information.

The Physician, as data controller, determines the purposes of processing, what EU Personal Data is relevant for the purposes of processing, and the means of the processing of the EU Personal Data, and Nocimed will process said Personal Data on behalf of and under a written data processing contract concluded between Nocimed and the Physician. Nocimed will use the Personal Data transferred to Nocimed by the Physician for the sole purpose of analyzing the MRI/MRS data and providing a NOCIGRAM-LS™ report.

Nocimed will take reasonable steps to help ensure the integrity of the EU Personal Data. Nocimed and the Physician will also take reasonable steps to ensure that the EU Personal Data is reliable for its intended use, accurate, complete, and current.

Disclosures/Onward Transfers of Personal Data

Nocimed may engage other data processors for carrying out specific processing activities with regard to the EU Personal Data transferred by the Physician only under appropriate data processing contracts, as required by the Privacy Shield Principles and mirroring the data protection obligations that Nocimed has accepted under the data processing contract concluded between Nocimed and the Physician. Such recipients must agree to abide by confidentiality obligations and treat EU Personal Data as required under the Privacy Shield Principles. Nocimed will take reasonable and appropriate steps to ensure that the data processors use the EU Personal Data in accordance with the agreement and consistent with the Privacy Shield Principles. Should Nocimed receive notice of any unauthorized processing by the data processors, Nocimed will take reasonable and appropriate steps to stop the unauthorized processing and remediate. Nocimed will maintain copies of all of its agreements with data processors to which it transfers EU Personal Data and provide copies of the agreements to the Department of Commerce upon request.

Nocimed may engage third party service providers (data processors) that provide data storage and transfer services for the purposes of transmitting results (which include EU Personal Data) to the requesting Physician. Nocimed may also engage third party service providers (data processors) to provide it with on-site and cloud data storage services.

Nocimed may also disclose EU Personal Data for other purposes, but only when a Data Subject has consented to or requested such disclosure. Nocimed is liable for appropriate onward transfers of Personal Data to third parties.

Please be aware that Nocimed may be required to disclose EU Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Data Security

Nocimed takes reasonable and appropriate measures to protect EU Personal Data from loss, misuse and unauthorized access, disclosure, alteration, and destruction. In so doing, Nocimed takes into account the risks involved in its processing of the EU Personal Data and the nature of the EU Personal Data it receives.

If Nocimed discloses EU Personal Data to a third party, Nocimed will contractually require that third party to provide the same level of protections to the EU Personal Data as required by the Privacy Shield Principles. Nocimed requires valid SOC 2 Type II reports from all third parties that will transfer or maintain Personal Data.

Accessing Personal Data

Nocimed personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.

Right to Access, Change, or Delete Personal Data

At any time, if the Individual Patient does not wish for their EU Personal Data to remain with Nocimed, they can contact the prescribing Physician to revoke consent for the use of their EU Personal Data to generate a NOCIGRAM-LS™ report. Upon notification of revocation of an Individual Patient’s consent, the EU Personal Data relating to the patient will be deleted from databases and file servers under Nocimed’s control without undue delay. The Individual Patient can obtain a copy of the Personal Data provided to Nocimed via the prescribing Physician. Requests for access, modification, corrections and completions can be made through the prescribing Physician or via Nocimed’s Privacy Policy Contact provided above. If the accuracy of the EU Personal Data relating to the Individual Patient should be contested, the Individual Patient may also, via the prescribing Physician, request Nocimed to restrict processing of said EU Personal Data for a period of time enabling Nocimed to verify the accuracy of the EU Personal Data.

Questions and Complaints

In compliance with the Privacy Shield Principles, Nocimed commits to resolve complaints about the privacy of EU Data Subjects and Nocimed’s collection or use of EU Personal Data. EU Data Subjects with inquiries or complaints regarding this Policy should first contact Nocimed at:

Nocimed has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If EU Data Subjects do not receive timely acknowledgment of their complaint, or if their complaint is not satisfactorily addressed, they may visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

Should an EU Data Subject complaint not be resolved through these channels, under limited circumstances a binding arbitration option may be available to the EU Data Subject before a Privacy Shield Panel, as further explained in the Privacy Shield Principles, in order to address residual complaints not resolved by any other means. For additional information, please see Annex I of the Privacy Shield Principles at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Changes to This Policy

This Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. Nocimed will make employees aware of changes to this Policy either by posting to our intranet, through email, or other means. Nocimed will notify Physicians if Nocimed makes changes that materially affect the way Personal Data that was previously collected is handled.

Defined Terms

Capitalized terms in this Privacy Policy have the following meanings:

“Individual Patient” means an individual patient in the EU for whom a prescribing Physician intends to receive a NOCIGRAM-LS™ Report from Nocimed. This individual patient can also be considered a “Data Subject,” depending on the circumstance.

“Data Subject” means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics.

“Personal Data” as defined under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”) means data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data does not include data that is de-identified, anonymous, or publicly available.

“Physician” means the healthcare provider providing or prescribing treatment to the patient in the EU; this includes a member of that prescribing healthcare provider’s team who is authorized to obtain consent.

Nocimed

CE Marked. Parties interested in learning more or potentially becoming new Nocimed customers should please contact: customerservice@nocimed.com. CAUTION: Investigational device. Limited by United States Federal law to investigational use. Not available in the U.S.